Re: [ossec-list] Custom Decoder

2019-10-11 Thread Diego S
I'm using version 2.0.

I'm not able to find the syntax error.

Thanks!

On Fri, 11 Oct 2019 at 14:51, dan (ddp) () wrote:

> On Fri, Oct 11, 2019 at 1:41 PM Diego S  wrote:
> >
> > Thank you very much for your response.
> > Let me know if I am wrong. The decoder will be like this:
> >
> > <decoder name="Brocade-format">
> >   <prematch>^\d+\s\w\w\w\w\w, </prematch>
> > </decoder>
> >
> > <decoder name="Brocade-format">
> >   <parent>Brocade-format</parent>
> >   <regex offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), \[\S+\], \S+, \S+, /S+)/\S+(/\w+/\S+),</regex>
> >   <order>user,second</order>
> > </decoder>
> >
> > <decoder name="squid-accesslog">
> >   <type>squid</type>
> >   <prematch>^\d+ \S+ </prematch>
> >   <regex>^\d+ (\S+) (\w+)/(\d+) \d+ \w+ (\S+) </regex>
> >   <order>srcip,action,id,url</order>
> > </decoder>
> >
> > But I'm getting a syntax error and I don't know why or where.
> >
> > 2019/10/11 12:05:07 ossec-analysisd(1450): ERROR: Syntax error on regex: '^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\(\S+\), \[\S+\], \S+, \S+, (\S+)/\S+(/\w+/\S+)': 6.
> >
>
> I'm not sure what's wrong there. Which version of OSSEC are you using?
>
> > Thanks and regards!

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/CAGQH4F%2BqTDKSiMJXBtCWmewR2SR1oDRiTpTwQBB%3Dm21mQrs-Ag%40mail.gmail.com.


Re: [ossec-list] Custom Decoder

2019-10-11 Thread dan (ddp)
On Fri, Oct 11, 2019 at 1:41 PM Diego S  wrote:
>
> Thank you very much for your response.
> Let me know if I am wrong. The decoder will be like this:
>
> <decoder name="Brocade-format">
>   <prematch>^\d+\s\w\w\w\w\w, </prematch>
> </decoder>
>
> <decoder name="Brocade-format">
>   <parent>Brocade-format</parent>
>   <regex offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), \[\S+\], \S+, \S+, /S+)/\S+(/\w+/\S+),</regex>
>   <order>user,second</order>
> </decoder>
>
> <decoder name="squid-accesslog">
>   <type>squid</type>
>   <prematch>^\d+ \S+ </prematch>
>   <regex>^\d+ (\S+) (\w+)/(\d+) \d+ \w+ (\S+) </regex>
>   <order>srcip,action,id,url</order>
> </decoder>
>
> But I'm getting a syntax error and I don't know why or where.
>
> 2019/10/11 12:05:07 ossec-analysisd(1450): ERROR: Syntax error on regex: '^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\(\S+\), \[\S+\], \S+, \S+, (\S+)/\S+(/\w+/\S+)': 6.
>

I'm not sure what's wrong there. Which version of OSSEC are you using?

> Thanks and regards!


Re: [ossec-list] Custom Decoder

2019-10-11 Thread Diego S
Thank you very much for your response.
Let me know if I am wrong. The decoder will be like this:


<decoder name="Brocade-format">
  <prematch>^\d+\s\w\w\w\w\w, </prematch>
</decoder>

<decoder name="Brocade-format">
  <parent>Brocade-format</parent>
  <regex offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), \[\S+\], \S+, \S+, /S+)/\S+(/\w+/\S+),</regex>
  <order>user,second</order>
</decoder>

<decoder name="squid-accesslog">
  <type>squid</type>
  <prematch>^\d+ \S+ </prematch>
  <regex>^\d+ (\S+) (\w+)/(\d+) \d+ \w+ (\S+) </regex>
  <order>srcip,action,id,url</order>
</decoder>


But I'm getting a syntax error and I don't know why or where.

2019/10/11 12:05:07 ossec-analysisd(1450): ERROR: Syntax error on regex: '^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\(\S+\), \[\S+\], \S+, \S+, (\S+)/\S+(/\w+/\S+)': 6.

Thanks and regards!



Re: [ossec-list] Custom Decoder

2019-10-11 Thread dan (ddp)
I'm sure it can be cleaned up a lot

On Fri, Oct 11, 2019 at 12:06 PM dan (ddp)  wrote:
>
> On Fri, Oct 11, 2019 at 11:49 AM Diego S  wrote:
> >
> > Hi everyone!
> >
> > I'm wondering if we already have on OSSEC a custom decoder according to this
> > kind of log to get the red values.
> >
> > 1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy.
> >
>
> Running this through ossec-logtest gives me this:
> **Phase 1: Completed pre-decoding.
>    full event: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy.'
>    hostname: 'ix'
>    program_name: '(null)'
>    log: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy.'
>
> **Phase 2: Completed decoding.
>    decoder: 'squid-accesslog'
>
> **Phase 3: Completed filtering (rules).
>    Rule id: '35000'
>    Level: '0'
>    Description: 'Squid messages grouped.'
>
> I get the same output with and without your custom decoder. You'll
> need to put your decoder before the squid decoder.
>

I put this before the squid-accesslog decoder in decoder.xml:

<decoder name="Brocade-format">
  <prematch>^\d+\s\w\w\w\w\w, </prematch>
</decoder>

<decoder name="Brocade-format">
  <parent>Brocade-format</parent>
  <regex offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), \[\S+\], \S+, \S+, (\S+)/\S+(/\w+/\S+),</regex>
  <order>user,second</order>
</decoder>


Now I get the following output:
**Phase 1: Completed pre-decoding.
   full event: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy.'
   hostname: 'ix'
   program_name: '(null)'
   log: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy.'

**Phase 2: Completed decoding.
   decoder: 'Brocade-format'
   dstuser: 'diego.gonzales'
   second: '/ssh/CLI'

I'm sure it can be cleaned up a lot, and using pcre2 might make it even better.

> >
> > I tried to do a custom one, but without success.
> >
> >
> > I'll leave here what I've done.
> >
> >
> >
> > This one is getting the "1022 Audit" to discriminate the one I need from the
> > rest.
> >
> >
> > 
> >
> >   ^\d+\s\w\w\w\w
> >
> > 
> >
> >
> > .
> >
> >
> > And here is where I'm trying to get the underlined red values at the
> > beginning of the text, but I'm not sure:
> >
> >
> > -The type of the log I have to use, or if it is necessary
> >
> > -The "order" value I have to use to take both of these red values.
> >
> > -The structure of the decoder.
> >
> >
> > 
> >
> >   Brocade-format
> >
> >   -
> >
> >> offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:d\d:d\d\s\(\w+\),\s\p\w\w\w-\w\w\w\w\p,\s\w+,\s(\w+),\w+/\w+/\w+/\w+(/\w+),\.*
> >
> >   -
> >
> > 
> >
> >
> >
> > Thanks and Regards!
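To make the ordering point in dan's reply concrete, here is an added simulation (not OSSEC code, and not from dan or the OSSEC project) that translates the two decoders' OSSEC-style patterns into Python regular expressions and runs the thread's event through them in both orders. The translation rules (\d, \w, \s, \S, \p, \. and lazy + and *) are an assumption that approximates OSSEC's regex engine for this line, not a reimplementation of it; the EVENT string, the SQUID and BROCADE dicts and the function names are constructed here. The logtest output above prints the `user` field as `dstuser`; the simulation keeps the order name as written in the decoder.

```python
"""Simulate which OSSEC decoder claims the Brocade audit line from this thread
and which fields it extracts, to show why decoder order matters.

Not OSSEC code: the regex dialect is translated to Python's re module under
these assumptions, which approximate os_regex closely enough for this line:
  \\d digit, \\w [A-Za-z0-9_@-], \\s space, \\S non-space, \\p punctuation,
  \\. any character, + and * stop as soon as the next element matches (lazy),
  ^ $ ( ) | keep their meaning, \\( \\) \\[ \\] are literal characters.
"""
import re

# Constructed sample: the event posted in the thread, on one line.
EVENT = (
    "1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, "
    "diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, "
    "ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: "
    "Successful login attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy."
)

# The stock squid decoder and the custom one from the thread, as plain dicts.
SQUID = {
    "name": "squid-accesslog",
    "prematch": r"^\d+ \S+ ",
    "regex": r"^\d+ (\S+) (\w+)/(\d+) \d+ \w+ (\S+) ",
    "order": ["srcip", "action", "id", "url"],
    "offset": None,
}
BROCADE = {
    "name": "Brocade-format",
    "prematch": r"^\d+\s\w\w\w\w\w, ",
    "regex": r"^\d\d\d\d/\d\d/\d\d-\d\d:\d\d:\d\d \(\S+\), \[\S+\], \S+, \S+, (\S+)/\S+(/\w+/\S+),",
    "order": ["user", "second"],
    "offset": "after_parent",
}

# OSSEC character classes expressed as Python character classes (assumed mapping).
_CLASSES = {
    "d": r"[0-9]", "D": r"[^0-9]",
    "w": r"[A-Za-z0-9_@\-]", "W": r"[^A-Za-z0-9_@\-]",
    "s": r" ", "S": r"[^ ]",
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&]""",
    ".": r".",
}


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC-style pattern into a Python regular expression."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(_CLASSES.get(nxt, re.escape(nxt)))  # unknown escape = literal char
            i += 2
        elif ch in "+*":
            out.append(ch + "?")  # lazy repetition, the OSSEC behaviour assumed above
            i += 1
        elif ch in "^$()|":
            out.append(ch)
            i += 1
        else:
            out.append(re.escape(ch))  # everything else is literal, including '.'
            i += 1
    return "".join(out)


def run_decoder(dec: dict, event: str):
    """None if the prematch rejects the event; otherwise the captured fields."""
    pre = re.search(ossec_to_python(dec["prematch"]), event)
    if pre is None:
        return None
    # offset="after_parent": the regex only sees the text after the prematch hit
    text = event[pre.end():] if dec["offset"] == "after_parent" else event
    m = re.search(ossec_to_python(dec["regex"]), text)
    # prematch hit but regex missed: the decoder still claims the event, with no fields
    return dict(zip(dec["order"], m.groups())) if m else {}


def decode(event: str, decoders: list):
    """The first decoder whose prematch matches claims the event, so order matters."""
    for dec in decoders:
        fields = run_decoder(dec, event)
        if fields is not None:
            return dec["name"], fields
    return None, {}


if __name__ == "__main__":
    print("squid first:  ", decode(EVENT, [SQUID, BROCADE]))
    print("Brocade first:", decode(EVENT, [BROCADE, SQUID]))
```

Run as a script it reproduces the two logtest results from the thread: with the squid decoder first, its prematch `^\d+ \S+ ` accepts "1022 AUDIT, ", its regex then misses, and the event is tagged squid-accesslog with no fields; with Brocade-format listed first, `user` and `second` come out as diego.gonzales and /ssh/CLI. The script is only a quick way to reason about captures; ossec-logtest against the real decoder.xml remains the authoritative check.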


Re: [ossec-list] Custom Decoder

2019-10-11 Thread dan (ddp)
On Fri, Oct 11, 2019 at 11:49 AM Diego S  wrote:
>
> Hi everyone!
>
> I'm wondering if we already have on OSSEC a custom decoder according to this
> kind of log to get the red values.
>
> 1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy.
>

Running this through ossec-logtest gives me this:
**Phase 1: Completed pre-decoding.
   full event: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy.'
   hostname: 'ix'
   program_name: '(null)'
   log: '1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy.'

**Phase 2: Completed decoding.
   decoder: 'squid-accesslog'

**Phase 3: Completed filtering (rules).
   Rule id: '35000'
   Level: '0'
   Description: 'Squid messages grouped.'

I get the same output with and without your custom decoder. You'll
need to put your decoder before the squid decoder.

>
> I tried to do a custom one, but without success.
>
>
> I'll leave here what I've done.
>
>
>
> This one is getting the "1022 Audit" to discriminate the one I need from the
> rest.
>
>
> 
>
>   ^\d+\s\w\w\w\w
>
> 
>
>
> .
>
>
> And here is where I'm trying to get the underlined red values at the beginning
> of the text, but I'm not sure:
>
>
> -The type of the log I have to use, or if it is necessary
>
> -The "order" value I have to use to take both of these red values.
>
> -The structure of the decoder.
>
>
> 
>
>   Brocade-format
>
>   -
>
>offset="after_parent">^\d\d\d\d/\d\d/\d\d-\d\d:d\d:d\d\s\(\w+\),\s\p\w\w\w-\w\w\w\w\p,\s\w+,\s(\w+),\w+/\w+/\w+/\w+(/\w+),\.*
>
>   -
>
> 
>
>
>
> Thanks and Regards!


[ossec-list] Custom Decoder

2019-10-11 Thread Diego S
Hi everyone!

I'm wondering if we already have on OSSEC a custom decoder according to this
kind of log to get the red values.

1022 AUDIT, 2019/07/26-18:02:33 (UYT), [SEC-3020], INFO, SECURITY, diego.gonzales/user/pivonox.prod.pci.elan.red.com.uy/ssh/CLI, ad_0/SW-FC-2/FID 128, , Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: pivonox.prod.pci.elan.red.com.uy.


I tried to do a custom one, but without success.


I'll leave here what I've done.



This one is getting the "1022 Audit" to discriminate the one I need from the
rest.




  ^\d+\s\w\w\w\w




.


And here is where I'm trying to get the underlined red values at the
beginning of the text, but I'm not sure:


-The type of the log I have to use, or if it is necessary

-The "order" value I have to use to take both of these red values.

-The structure of the decoder.




  Brocade-format

  -

  ^\d\d\d\d/\d\d/\d\d-\d\d:d\d:d\d\s\(\w+\),\s\p\w\w\w-\w\w\w\w\p,\s\w+,\s(\w+),\w+/\w+/\w+/\w+(/\w+),\.*

  -





Thanks and Regards!



Re: [ossec-list] Re: Not receiving email alert for file changes(FIM)

2019-10-11 Thread Prashanthi Soundarajan


On Friday, October 11, 2019 at 6:23:37 PM UTC+5:30, Prashanthi Soundarajan 
wrote:
>
>
>
>
>> Do the new files you create show up in your syscheck database file? 
>> (/var/ossec/queue/syscheck/syscheck.db for the OSSEC server) 
>>
>
>
> I am not able to see the database file. I can see a file named
> /var/ossec/queue/syscheck/syscheck
>
> Is that what you are referring to? If yes, then I am not able to see the
> newly created file name in this file.
>



Kindly ignore the above response. I am able to view the newly created file
in (/var/ossec/queue/syscheck/syscheck)

+++25:33184:0:0:8f40752e7074f39fca815d476987bac5:2f06aa578c59786289dfa2b27c57e1aafbf9d489 !1570798265 /etc/prash

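For anyone who wants to read the database line above rather than eyeball it, here is an added Python parser; it is not OSSEC code and the layout it assumes is an assumption stated here, not something the thread documents: three leading marker characters (`+++` on the fresh entry above), then `size:st_mode:uid:gid:md5:sha1` with st_mode in decimal, then `!` followed by the epoch time at which the entry was recorded, then the path. The SAMPLE_LINE is the line posted above; `checksum_for` and `demo_roundtrip` are constructed helpers that rebuild the same checksum string for a local file so that a later modification can be spotted by comparison. Decoded, the entry is a 25-byte root-owned file with mode 0640, recorded at 2019-10-11 12:51:05 UTC.

```python
"""Parse and verify a line of the OSSEC server's syscheck database
(/var/ossec/queue/syscheck/syscheck), using the entry shown in this thread.

Assumed layout (an assumption, not taken from the thread):
  <3 marker chars><size:st_mode:uid:gid:md5:sha1> !<epoch> <path>
"""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone

# The line from the thread, copied here as constructed sample input.
SAMPLE_LINE = ("+++25:33184:0:0:8f40752e7074f39fca815d476987bac5:"
               "2f06aa578c59786289dfa2b27c57e1aafbf9d489 !1570798265 /etc/prash")


@dataclass
class SyscheckEntry:
    marks: str          # leading three characters, "+++" on the sample (assumed: change markers)
    size: int
    mode: int           # st_mode in decimal, exactly as stored
    uid: int
    gid: int
    md5: str
    sha1: str
    event_time: datetime
    path: str

    @property
    def checksum(self) -> str:
        """The size:mode:uid:gid:md5:sha1 string exactly as it appeared in the line."""
        return ":".join(map(str, (self.size, self.mode, self.uid, self.gid))) + f":{self.md5}:{self.sha1}"

    @property
    def perms(self) -> str:
        return stat.filemode(self.mode)  # "-rw-r-----" for 33184 (0o100640)


def parse_syscheck_line(line: str) -> SyscheckEntry:
    """Split one database line into its fields, rejecting anything that does not fit."""
    marks, rest = line[:3], line[3:].rstrip("\n")
    try:
        checksum, stamp, path = rest.split(" ", 2)  # the path itself may contain spaces
    except ValueError:
        raise ValueError(f"unexpected syscheck line: {line!r}")
    if not stamp.startswith("!") or not stamp[1:].isdigit():
        raise ValueError(f"missing !epoch field: {line!r}")
    parts = checksum.split(":")
    if len(parts) != 6:
        raise ValueError(f"expected 6 checksum fields, got {len(parts)}: {checksum!r}")
    size, mode, uid, gid, md5, sha1 = parts
    if len(md5) != 32 or len(sha1) != 40:
        raise ValueError(f"hash fields have the wrong length: {checksum!r}")
    return SyscheckEntry(marks, int(size), int(mode), int(uid), int(gid), md5, sha1,
                         datetime.fromtimestamp(int(stamp[1:]), timezone.utc), path)


def checksum_for(path: str) -> str:
    """Recompute size:st_mode:uid:gid:md5:sha1 for a file on this host
    (assumed to mirror what the agent stores; st_mode written in decimal)."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        data = fh.read()
    return ":".join([str(st.st_size), str(st.st_mode), str(st.st_uid), str(st.st_gid),
                     hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()])


def has_changed(entry: SyscheckEntry, path: str) -> bool:
    """True when the file on disk no longer matches what the database recorded."""
    return checksum_for(path) != entry.checksum


def demo_roundtrip():
    """Record a temporary file as a database line, then modify it: (before, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "watched.txt")
        with open(target, "wb") as fh:
            fh.write(b"initial contents\n")
        now = int(datetime.now(timezone.utc).timestamp())
        entry = parse_syscheck_line(f"+++{checksum_for(target)} !{now} {target}")
        before = has_changed(entry, target)
        with open(target, "ab") as fh:
            fh.write(b"appended line\n")  # size and both digests now differ
        after = has_changed(entry, target)
    return before, after


if __name__ == "__main__":
    e = parse_syscheck_line(SAMPLE_LINE)
    print(e.path, e.perms, f"{e.size} bytes, uid {e.uid}, recorded {e.event_time.isoformat()}")
    print("changed before/after modification:", demo_roundtrip())
```

The presence of the entry only shows that syscheck has recorded the file; whether a change is later alerted on depends on the comparison of a fresh checksum against this stored one, which is what `has_changed` imitates for a local file.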


Re: [ossec-list] Re: Not receiving email alert for file changes(FIM)

2019-10-11 Thread Prashanthi Soundarajan



> Do the new files you create show up in your syscheck database file? 
> (/var/ossec/queue/syscheck/syscheck.db for the OSSEC server) 
>


I am not able to see the database file. I can see a file named
/var/ossec/queue/syscheck/syscheck

Is that what you are referring to? If yes, then I am not able to see the
newly created file name in this file.



Re: [ossec-list] Re: Not receiving email alert for file changes(FIM)

2019-10-11 Thread dan (ddp)
On Fri, Oct 11, 2019 at 7:53 AM Prashanthi Soundarajan
 wrote:
>
>
>
>>
>> All the samples are from the alerts you say you are getting emails
>> for. The important alerts to look for are the ones you're not getting
>> emails for.
>> Assuming those exist in the alerts.log file, check your smtp server's
>> mail logs. Perhaps it's discarding the messages or they aren't getting
>> transferred properly?
>>
>
>
> No, those alerts are not in alerts.log. For example, if I test creating a new
> file in the specified directory, I am not able to see logs in alert.log,
> so I guess there is less possibility that they aren't getting transferred
> properly when the logs are not actually in alert.log.

If they are not in the alerts.log file, then they won't get emailed.

Do the new files you create show up in your syscheck database file?
(/var/ossec/queue/syscheck/syscheck.db for the OSSEC server)



Re: [ossec-list] Re: Not receiving email alert for file changes(FIM)

2019-10-11 Thread Prashanthi Soundarajan



> All the samples are from the alerts you say you are getting emails 
> for. The important alerts to look for are the ones you're not getting 
> emails for. 
> Assuming those exist in the alerts.log file, check your smtp server's 
> mail logs. Perhaps it's discarding the messages or they aren't getting 
> transferred properly? 
>
>

No, those alerts are not in alerts.log. For example, if I test creating a
new file in the specified directory, I am not able to see logs in
alert.log.

So I guess there is less possibility that they aren't getting transferred
properly when the logs are not actually in alert.log.



Re: [ossec-list] About active responses

2019-10-11 Thread dan (ddp)
On Thu, Oct 10, 2019 at 5:10 AM Kyriakos Stavridis
 wrote:
>
> Hey guys,
>
> Can I have an active response only activated for a specific agent? (active
> response's location is on the OSSEC server)
>
> Example:
> I have agent1 and agent2, I have 2 active responses AR1 and AR2. I want AR1 
> to be triggered only by agent1 events and AR2 to be triggered only by agent2 
> events.
> Is this possible?
>

I can't think of a way to do this off the top of my head.

> Example config:
> 
>   commandname1
>   server
>   // some config here? specifying agent1
>   3
> 
>
> 
>   commandname2
>   server
>   // some config here? specifying agent2
>   3
> 
>
> Thanks! have a nice day!


Re: [ossec-list] Re: Not receiving email alert for file changes(FIM)

2019-10-11 Thread dan (ddp)
On Thu, Oct 10, 2019 at 9:24 AM Prashanthi Soundarajan
 wrote:
>
>
> Yes, I am able to see the alerts which I mentioned ("Level 2 - Unknown problem
> somewhere in the system", "Level 8 - Log file size reduced", "Level 7 -
> Integrity checksum changed.", "Level 13 - Non standard syslog message") in
> /var/ossec/logs/alerts/alerts.log
>
> Sample:
>
> ** Alert 1570713203.436414: mail  - syslog,errors,
> 2019 Oct 10 13:13:23 fc-app-7->/var/log/nginx/error.log
> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> App 1663 stderr: 
> /data/helpkit/shared/bundler_gems/ruby/2.2.0/gems/rest-client-1.8.0/lib/restclient/request.rb:387:in
>  `transmit' : This dangerous monkey patch leaves you open to MITM attacks! 
> (StandardWarning)
>
> ** Alert 1570713205.436799: mail  - syslog,errors,
> 2019 Oct 10 13:13:25 fc-app-7->/var/log/nginx/error.log
> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> App 1663 stderr: 
> /data/helpkit/shared/bundler_gems/ruby/2.2.0/gems/rest-client-1.8.0/lib/restclient/request.rb:387:in
>  `transmit' : This dangerous monkey patch leaves you open to MITM attacks! 
> (StandardWarning)
>
> ** Alert 1570713207.437184: mail  - syslog,errors,
> 2019 Oct 10 13:13:27 fc-app-7->/var/log/nginx/error.log
> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> App 1663 stderr: 
> /data/helpkit/shared/bundler_gems/ruby/2.2.0/gems/rest-client-1.8.0/lib/restclient/request.rb:387:in
>  `transmit' : This dangerous monkey patch leaves you open to MITM attacks! 
> (StandardWarning)

All the samples are from the alerts you say you are getting emails
for. The important alerts to look for are the ones you're not getting
emails for.
Assuming those exist in the alerts.log file, check your smtp server's
mail logs. Perhaps it's discarding the messages or they aren't getting
transferred properly?
